Old 01-16-2009, 08:42 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 9
OS: xp pro


Several Major Problems

I've been receiving several threats as well as a startup problem with my PC.

When I first boot up the machine, I would randomly be stuck at the Windows logo and would need to restart the computer. Also, I have been receiving virus threats from my anti-virus, CA Anti-Virus, which include: Vundo, Neskrit, and Galenachime.

Thank you for any assistance you can give.


DDS (Ver_09-01-07.01) - NTFSx86
Run by user at 22:19:01.29 on Fri 01/16/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1316 [GMT -5:00]

AV: CA Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\Fix Computer Files\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: {98bf871a-bcaa-8309-f224-7250ba306101}: {101603ab-0527-422f-9038-aacba178fb89} - c:\windows\system32\fjbjyi.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: Yahoo! ¤u¨ã¦C: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] ; "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [nwiz] ; nwiz.exe /install
mRun: [cctray] "c:\program files\ca\ca internet security suite\cctray\cctray.exe"
mRun: [CAVRID] "c:\program files\ca\ca internet security suite\ca anti-virus\CAVRID.exe"
mRun: [Kpetufiraw] rundll32.exe "c:\windows\eqabobit.dll",e
mRun: [Irasuqoq] rundll32.exe "c:\windows\Qraqafi.dll",e
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: turbotax.com
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: DbUi - {5CC8B6BC-86A6-A0B4-DE79-098F1ABA8592} - c:\program files\zldmste\DbUi.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\znqggucg.default\
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\jaman player\npjaman.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {A7F65183-9C57-4715-989A-FD3057270BE4} - c:\documents and settings\user\local settings\application data\{A7F65183-9C57-4715-989A-FD3057270BE4}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\defaults\pref\jaman.js - pref("network.protocol-handler.warn-external.jaman", false);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-8-12 28544]
R1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\vet-filt.sys [2008-6-9 26640]
R1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\vet-rec.sys [2008-6-9 21392]
R1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\vetefile.sys [2008-6-9 880560]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\vetfddnt.sys [2008-6-9 21648]
R1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2008-6-9 32528]
R3 PPCtlPriv;PPCtlPriv;c:\program files\ca\ca internet security suite\ca anti-spyware\PPCtlPriv.exe [2007-3-12 189704]
R3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\veteboot.sys [2008-6-9 108368]
R4 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2008-1-4 587096]
R4 CAISafe;CAISafe;c:\program files\ca\ca internet security suite\ca anti-virus\isafe.exe [2008-6-9 144960]
R4 VETMSGNT;VET Message Service;c:\program files\ca\ca internet security suite\ca anti-virus\vetmsg.exe [2008-6-9 243216]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-7-4 24652]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-3-8 44928]
S3 XDva031;XDva031;\??\c:\windows\system32\xdva031.sys --> c:\windows\system32\XDva031.sys [?]
S3 XDva059;XDva059;\??\c:\windows\system32\xdva059.sys --> c:\windows\system32\XDva059.sys [?]
S3 XDva064;XDva064;\??\c:\windows\system32\xdva064.sys --> c:\windows\system32\XDva064.sys [?]
S3 XDva132;XDva132;\??\c:\windows\system32\xdva132.sys --> c:\windows\system32\XDva132.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\xdva195.sys --> c:\windows\system32\XDva195.sys [?]
S3 XDva214;XDva214;\??\c:\windows\system32\xdva214.sys --> c:\windows\system32\XDva214.sys [?]

=============== Created Last 30 ================

2009-01-16 15:20 <DIR> --d----- c:\windows\LastGood.Tmp
2009-01-16 15:18 <DIR> --d----- c:\windows\system32\scripting
2009-01-16 15:18 <DIR> --d----- c:\windows\system32\en
2009-01-16 15:18 <DIR> --d----- c:\windows\l2schemas
2009-01-16 15:18 <DIR> --d----- c:\windows\system32\bits
2009-01-16 15:16 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-16 12:29 133,120 a------- c:\windows\eqabobit.dll
2009-01-16 12:17 41,984 a------- c:\windows\Qraqafi.dll
2009-01-16 12:17 41,984 a------- c:\windows\system32\chert5-998.exe
2009-01-15 19:18 <DIR> --d----- c:\program files\Counter-Strike
2009-01-14 19:27 124,928 a------- c:\windows\system32\zsmbkw.dll
2009-01-14 19:27 124,928 a------- c:\windows\system32\yayaXonm.dll
2009-01-14 18:27 124,928 a------- c:\windows\system32\ttjwpn.dll
2009-01-14 18:27 124,928 a------- c:\windows\system32\urqPfDSm.dll
2009-01-14 17:26 124,928 a------- c:\windows\system32\zikgdv.dll
2009-01-14 17:26 124,928 a------- c:\windows\system32\rqRIYqnN.dll
2009-01-14 16:26 124,928 a------- c:\windows\system32\wvUnKExy.dll
2009-01-14 16:11 59 a------- c:\windows\system32\senekatalqpmeo.dat
2009-01-14 16:11 3 a------- c:\windows\system32\senekadf.dat
2009-01-14 15:54 18,162 a------- c:\windows\system32\senekalog.dat
2009-01-14 10:20 152 a------- c:\windows\system32\sysplog2.dll
2009-01-14 10:20 152 a------- c:\windows\system32\sysplog.dll
2009-01-14 10:20 260,096 -------- c:\windows\system32\RICHTX32.OCX
2009-01-14 10:20 244,416 -------- c:\windows\system32\MSFLXGRD.OCX
2009-01-14 10:20 67,376 -------- c:\windows\system32\SYSINFO.OCX
2009-01-14 10:19 <DIR> --d----- c:\program files\Personal Chess Trainer 2007
2009-01-14 10:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Tarma Installer
2009-01-07 04:53 69,120 -------- c:\windows\system32\wlanapi.dll
2009-01-07 04:52 180,360 -------- c:\windows\system32\drivers\ntmtlfax.sys
2009-01-07 04:41 333,824 -c------ c:\windows\system32\dllcache\srv.sys
2009-01-07 04:40 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2009-01-07 04:40 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-07 04:40 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-07 04:40 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-07 04:40 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-07 04:40 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-01-07 04:40 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-01-07 04:40 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-01-06 11:33 <DIR> --d----- C:\CFLog
2009-01-06 11:32 5,174 a------- c:\windows\system32\nppt9x.vxd
2009-01-06 11:32 4,682 a------- c:\windows\system32\npptNT2.sys
2009-01-06 11:32 <DIR> --d----- c:\program files\common files\INCA Shared
2008-12-22 17:29 24,840,704 a------- C:\tgatool3.bmp
2008-12-22 17:29 8,281,088 a------- C:\tgatrns3.bmp

==================== Find3M ====================

2009-01-16 15:19 87,263 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-21 16:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 16:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-13 10:32 503,808 a------- c:\windows\system32\msvcp71.dll
2008-11-13 10:32 348,160 a------- c:\windows\system32\msvcr71.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-09-20 15:16 24 a------- c:\documents and settings\user\jagex_runescape_preferences.dat
2008-03-08 16:31 61,224 a------- c:\documents and settings\user\GoToAssistDownloadHelper.exe
2007-08-20 17:04 15,505,200 a------- c:\program files\IE7-WindowsXP-x86-enu.exe
2004-09-27 21:00 26,240 a------- c:\windows\inf\RAMDSK.SYS
2001-08-22 13:15 245,760 a------- c:\windows\inf\i386\viceo.dll
2001-08-22 13:13 32,768 a------- c:\windows\inf\i386\Pmicro.dll
2001-08-22 13:13 61,440 a------- c:\windows\inf\i386\gl.dll
2001-08-03 18:29 13,824 a------- c:\windows\inf\i386\Usbscan.sys

============= FINISH: 22:19:50.73 ===============
Attached Files
File Type: zip attach.zip (5.7 KB, 1 views)

Last edited by Ried; 01-17-2009 at 01:25 AM.
ichigo5937 is offline  

Old 01-17-2009, 01:31 AM   #2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Several Major Problems

Hello ichigo5937,


Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT- Save ComboFix.exe to your Desktop

--------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

--------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

FireFox::
FF - HiddenExtension: XUL Cache: {A7F65183-9C57-4715-989A-FD3057270BE4} - c:\documents and settings\user\local settings\application data\{A7F65183-9C57-4715-989A-FD3057270BE4}

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe


*Be sure to follow any prompts you may receive to allow ComboFix to download the Microsoft Windows Recovery Console. Once downloaded, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


When finished, it shall produce a log for you at C:\ComboFix.txt. Please post that here for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 01-18-2009, 01:30 AM   #3 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 9
OS: xp pro


Re: Several Major Problems

Thank you for your quick response, and here is the requested log. I tried to upload the txt but it is too long, so I attached the ComboFix.txt file.

ComboFix 09-01-17.03 - user 2009-01-18 3:03:48.13 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1367 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\Fix Computer Files\1-16-09\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\Fix Computer Files\1-16-09\CFScript.txt
AV: CA Anti-Virus *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\user\local settings\application data\{A7F65183-9C57-4715-989A-FD3057270BE4}
c:\documents and settings\user\local settings\application data\{A7F65183-9C57-4715-989A-FD3057270BE4}\chrome.manifest
c:\documents and settings\user\local settings\application data\{A7F65183-9C57-4715-989A-FD3057270BE4}\chrome\content\_cfg.js
c:\documents and settings\user\local settings\application data\{A7F65183-9C57-4715-989A-FD3057270BE4}\chrome\content\c.js
c:\documents and settings\user\local settings\application data\{A7F65183-9C57-4715-989A-FD3057270BE4}\chrome\content\overlay.xul
c:\documents and settings\user\local settings\application data\{A7F65183-9C57-4715-989A-FD3057270BE4}\install.rdf
c:\windows\BM677d060f.txt
c:\windows\BM677d060f.xml
c:\windows\system32\1777be08.dll
c:\windows\system32\18b01d4d.dll
c:\windows\system32\252653ac.dll
c:\windows\system32\28e59fb8.dll
c:\windows\system32\4b00fa1.dll
c:\windows\system32\52abd25.dll
c:\windows\system32\72fd89b.dll
c:\windows\system32\cooppjjn.ini
c:\windows\system32\e3d522.dll
c:\windows\system32\mikxmeqq.ini
c:\windows\system32\mqllcrpc.ini
c:\windows\system32\sbpqjspc.ini
c:\windows\system32\senekadf.dat
c:\windows\system32\senekalog.dat
c:\windows\system32\senekatalqpmeo.dat
c:\windows\system32\sysplog.dll
c:\windows\system32\sysplog2.dll

----- BITS: Possible infected sites -----

hxxp://download.esd.intuit.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))
.

2009-01-17 16:35 . 2009-01-17 16:35 <DIR> d-------- c:\program files\Common Files\AnswerWorks 5.0
2009-01-16 22:22 . 2009-01-16 22:22 250 --a------ c:\windows\gmer.ini
2009-01-16 15:18 . 2009-01-16 15:18 <DIR> d-------- c:\windows\system32\scripting
2009-01-16 15:18 . 2009-01-16 15:18 <DIR> d-------- c:\windows\system32\en
2009-01-16 15:18 . 2009-01-16 15:18 <DIR> d-------- c:\windows\system32\bits
2009-01-16 15:18 . 2009-01-16 15:18 <DIR> d-------- c:\windows\l2schemas
2009-01-16 15:16 . 2009-01-16 15:16 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-16 12:29 . 2009-01-16 12:29 133,120 --a------ c:\windows\eqabobit.dll
2009-01-16 12:17 . 2009-01-16 12:17 41,984 --a------ c:\windows\system32\chert5-998.exe
2009-01-16 12:17 . 2009-01-16 12:17 41,984 --a------ c:\windows\Qraqafi.dll
2009-01-15 19:18 . 2009-01-16 18:20 <DIR> d-------- c:\program files\Counter-Strike
2009-01-14 10:20 . 2003-04-10 04:46 260,096 --------- c:\windows\system32\RICHTX32.OCX
2009-01-14 10:20 . 2000-05-21 23:00 244,416 --------- c:\windows\system32\MSFLXGRD.OCX
2009-01-14 10:20 . 1998-06-23 22:00 67,376 --------- c:\windows\system32\SYSINFO.OCX
2009-01-14 10:19 . 2009-01-14 10:20 <DIR> d-------- c:\program files\Personal Chess Trainer 2007
2009-01-14 10:19 . 2009-01-14 10:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Tarma Installer
2009-01-07 04:52 . 2008-04-13 19:11 1,888,992 --------- c:\windows\system32\ati3duag.dll
2009-01-07 04:41 . 2008-12-11 05:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-01-07 04:40 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-07 04:40 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-07 04:40 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-07 04:40 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-07 04:40 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-01-07 04:40 . 2008-04-11 14:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-01-07 04:40 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-07 04:40 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-01-06 11:33 . 2009-01-06 11:33 <DIR> d-------- C:\CFLog
2009-01-06 11:32 . 2009-01-06 11:32 <DIR> d-------- c:\program files\Common Files\INCA Shared
2009-01-06 11:32 . 2003-07-17 04:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-01-06 11:32 . 2004-12-31 19:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2008-12-22 17:29 . 2008-12-22 17:30 24,840,704 --a------ C:\tgatool3.bmp
2008-12-22 17:29 . 2008-12-22 17:30 8,281,088 --a------ C:\tgatrns3.bmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 21:34 --------- d-----w c:\program files\Common Files\Intuit
2009-01-17 21:34 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-01-17 21:31 --------- d-----w c:\program files\TurboTax
2009-01-06 16:30 --------- d-----w c:\program files\SubaGames
2008-12-29 17:57 --------- d-----w c:\program files\DivX
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-27 03:58 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-23 09:18 --------- d-----w c:\program files\Jaman Player
2008-11-23 09:16 --------- d-----w c:\program files\windows XP uploader
2008-10-22 20:47 6 ----a-w c:\windows\Fonts\wfonts.key
2008-09-20 20:16 24 ----a-w c:\documents and settings\user\jagex_runescape_preferences.dat
2008-03-08 21:31 61,224 ----a-w c:\documents and settings\user\GoToAssistDownloadHelper.exe
2007-08-20 22:04 15,505,200 ----a-w c:\program files\IE7-WindowsXP-x86-enu.exe
2004-09-28 02:00 26,240 ----a-w c:\windows\inf\RAMDSK.SYS
2001-08-22 18:15 245,760 ----a-w c:\windows\inf\i386\viceo.dll
2001-08-22 18:13 61,440 ----a-w c:\windows\inf\i386\gl.dll
2001-08-22 18:13 32,768 ----a-w c:\windows\inf\i386\Pmicro.dll
2001-08-03 23:29 13,824 ----a-w c:\windows\inf\i386\Usbscan.sys
.




.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-05-27 4269296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-14 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-14 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-07 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-06-09 177416]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-06-09 230928]
"Kpetufiraw"="c:\windows\eqabobit.dll" [2009-01-16 133120]
"Irasuqoq"="c:\windows\Qraqafi.dll" [2009-01-16 41984]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2006-10-31 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-04-25 423184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DbUi"= {5CC8B6BC-86A6-A0B4-DE79-098F1ABA8592} - c:\program files\zldmste\DbUi.dll [2008-07-20 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Irasuqoq]
--a------ 2009-01-16 12:17 41984 c:\windows\Qraqafi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kpetufiraw]
--a------ 2009-01-16 12:29 133120 c:\windows\eqabobit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2006-10-20 19:23 118784 c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jamtray]
--a------ 2008-11-13 11:04 455960 c:\program files\Jaman Player\jamtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Jaman Player\\jaman-updater.exe"=
"c:\\Program Files\\Jaman Player\\jamdownloader.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-08-12 28544]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-03-12 189704]
R4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-07-04 24652]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-03-08 44928]
S3 XDva031;XDva031;\??\c:\windows\system32\XDva031.sys --> c:\windows\system32\XDva031.sys [?]
S3 XDva059;XDva059;\??\c:\windows\system32\XDva059.sys --> c:\windows\system32\XDva059.sys [?]
S3 XDva064;XDva064;\??\c:\windows\system32\XDva064.sys --> c:\windows\system32\XDva064.sys [?]
S3 XDva132;XDva132;\??\c:\windows\system32\XDva132.sys --> c:\windows\system32\XDva132.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys --> c:\windows\system32\XDva195.sys [?]
S3 XDva214;XDva214;\??\c:\windows\system32\XDva214.sys --> c:\windows\system32\XDva214.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-01-06 c:\windows\Tasks\CAAntiSpywareScan_Daily as user at 10 01 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2008-06-09 21:01]

2009-01-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-03-07 c:\windows\Tasks\shutdown.job
- c:\documents and settings\user\Desktop\shutdown.bat []

2009-01-18 c:\windows\Tasks\User_Feed_Synchronization-{6AC3E833-CA5B-4A70-AFE7-3A257F49795D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 21:36]
.
- - - - ORPHANS REMOVED - - - -

BHO-{101603ab-0527-422f-9038-aacba178fb89} - c:\windows\system32\fjbjyi.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: *.turbotax.com
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\znqggucg.default\
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Jaman Player\npjaman.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\jaman.js - pref("network.protocol-handler.warn-external.jaman", false);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 03:12:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1476)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(1716)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\combofix\hidec.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
c:\windows\system32\wscntfy.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\combofix\Catchme.tmp
.
**************************************************************************
.
Completion time: 2009-01-18 3:23:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-18 08:22:21
ComboFix2.txt 2008-07-22 02:44:01
ComboFix3.txt 2008-07-22 02:26:31
ComboFix4.txt 2008-07-21 05:17:29
ComboFix5.txt 2009-01-18 08:01:43

Pre-Run: 96,406,605,824 bytes free
Post-Run: 96,655,253,504 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
5839 --- E O F --- 2009-01-18 08:00:30
Attached Files
File Type: txt ComboFix.txt (447.4 KB, 1 views)

Last edited by Ried; 01-18-2009 at 10:48 AM.
Old 01-18-2009, 09:43 PM   #4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Several Major Problems

Hello ichigo5937,

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/335615-several-major-problems-post1918843.html#post1918843

Collect::
c:\windows\eqabobit.dll
c:\windows\system32\chert5-998.exe
c:\windows\Qraqafi.dll

Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
---------------------------------------------------------------------

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

---------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix.txt
Kaspersky results
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 01-19-2009, 05:10 PM   #5 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 9
OS: xp pro


Re: Several Major Problems

Here are the requested logs. As for the system behavior, startup seems to be fine and I haven't seen any warnings from my antivirus.

ComboFix 09-01-19.01 - user 2009-01-19 12:05:49.14 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1465 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\Fix Computer Files\1-16-09\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\Fix Computer Files\1-16-09\CFScript.txt
AV: CA Anti-Virus *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\eqabobit.dll
c:\windows\Qraqafi.dll
c:\windows\system32\chert5-998.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-17 16:35 . 2009-01-17 16:35 <DIR> d-------- c:\program files\Common Files\AnswerWorks 5.0
2009-01-16 22:22 . 2009-01-16 22:22 250 --a------ c:\windows\gmer.ini
2009-01-16 15:18 . 2009-01-16 15:18 <DIR> d-------- c:\windows\system32\scripting
2009-01-16 15:18 . 2009-01-16 15:18 <DIR> d-------- c:\windows\system32\en
2009-01-16 15:18 . 2009-01-16 15:18 <DIR> d-------- c:\windows\system32\bits
2009-01-16 15:18 . 2009-01-16 15:18 <DIR> d-------- c:\windows\l2schemas
2009-01-16 15:16 . 2009-01-16 15:16 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-15 19:18 . 2009-01-16 18:20 <DIR> d-------- c:\program files\Counter-Strike
2009-01-14 10:20 . 2003-04-10 04:46 260,096 --------- c:\windows\system32\RICHTX32.OCX
2009-01-14 10:20 . 2000-05-21 23:00 244,416 --------- c:\windows\system32\MSFLXGRD.OCX
2009-01-14 10:20 . 1998-06-23 22:00 67,376 --------- c:\windows\system32\SYSINFO.OCX
2009-01-14 10:19 . 2009-01-14 10:20 <DIR> d-------- c:\program files\Personal Chess Trainer 2007
2009-01-14 10:19 . 2009-01-14 10:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Tarma Installer
2009-01-07 04:52 . 2008-04-13 19:11 1,888,992 --------- c:\windows\system32\ati3duag.dll
2009-01-07 04:41 . 2008-12-11 05:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-01-07 04:40 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-07 04:40 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-07 04:40 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-07 04:40 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-07 04:40 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-01-07 04:40 . 2008-04-11 14:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-01-07 04:40 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-07 04:40 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-01-06 11:33 . 2009-01-06 11:33 <DIR> d-------- C:\CFLog
2009-01-06 11:32 . 2009-01-06 11:32 <DIR> d-------- c:\program files\Common Files\INCA Shared
2009-01-06 11:32 . 2003-07-17 04:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-01-06 11:32 . 2004-12-31 19:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2008-12-22 17:29 . 2008-12-22 17:30 24,840,704 --a------ C:\tgatool3.bmp
2008-12-22 17:29 . 2008-12-22 17:30 8,281,088 --a------ C:\tgatrns3.bmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 21:34 --------- d-----w c:\program files\Common Files\Intuit
2009-01-17 21:34 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-01-17 21:31 --------- d-----w c:\program files\TurboTax
2009-01-06 16:30 --------- d-----w c:\program files\SubaGames
2008-12-29 17:57 --------- d-----w c:\program files\DivX
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-27 03:58 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-23 09:18 --------- d-----w c:\program files\Jaman Player
2008-11-23 09:16 --------- d-----w c:\program files\windows XP uploader
2008-10-22 20:47 6 ----a-w c:\windows\Fonts\wfonts.key
2008-09-20 20:16 24 ----a-w c:\documents and settings\user\jagex_runescape_preferences.dat
2008-03-08 21:31 61,224 ----a-w c:\documents and settings\user\GoToAssistDownloadHelper.exe
2007-08-20 22:04 15,505,200 ----a-w c:\program files\IE7-WindowsXP-x86-enu.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-05-27 4269296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-14 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-14 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-07 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-06-09 177416]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-06-09 230928]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2006-10-31 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-04-25 423184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"DbUi"= {5CC8B6BC-86A6-A0B4-DE79-098F1ABA8592} - c:\program files\zldmste\DbUi.dll [2008-07-20 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2006-10-20 19:23 118784 c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jamtray]
--a------ 2008-11-13 11:04 455960 c:\program files\Jaman Player\jamtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Jaman Player\\jaman-updater.exe"=
"c:\\Program Files\\Jaman Player\\jamdownloader.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-08-12 28544]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-03-12 189704]
R4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-07-04 24652]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-03-08 44928]
S3 XDva031;XDva031;\??\c:\windows\system32\XDva031.sys --> c:\windows\system32\XDva031.sys [?]
S3 XDva059;XDva059;\??\c:\windows\system32\XDva059.sys --> c:\windows\system32\XDva059.sys [?]
S3 XDva064;XDva064;\??\c:\windows\system32\XDva064.sys --> c:\windows\system32\XDva064.sys [?]
S3 XDva132;XDva132;\??\c:\windows\system32\XDva132.sys --> c:\windows\system32\XDva132.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys --> c:\windows\system32\XDva195.sys [?]
S3 XDva214;XDva214;\??\c:\windows\system32\XDva214.sys --> c:\windows\system32\XDva214.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-01-06 c:\windows\Tasks\CAAntiSpywareScan_Daily as user at 10 01 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2008-06-09 21:01]

2009-01-19 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-03-07 c:\windows\Tasks\shutdown.job
- c:\documents and settings\user\Desktop\shutdown.bat []

2009-01-19 c:\windows\Tasks\User_Feed_Synchronization-{6AC3E833-CA5B-4A70-AFE7-3A257F49795D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 21:36]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Kpetufiraw - c:\windows\eqabobit.dll
HKLM-Run-Irasuqoq - c:\windows\Qraqafi.dll
MSConfigStartUp-Irasuqoq - c:\windows\Qraqafi.dll
MSConfigStartUp-Kpetufiraw - c:\windows\eqabobit.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: *.turbotax.com
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\znqggucg.default\
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Jaman Player\npjaman.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\jaman.js - pref("network.protocol-handler.warn-external.jaman", false);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 12:14:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1516)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(1752)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\isafe.exe
c:\program files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\vetmsg.exe
c:\windows\system32\rundll32.exe
c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
c:\program files\CA\CA Internet Security Suite\ccprovsp.exe
.
**************************************************************************
.
Completion time: 2009-01-19 12:23:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-19 17:23:39
ComboFix2.txt 2009-01-18 08:23:55
ComboFix3.txt 2008-07-22 02:44:01
ComboFix4.txt 2008-07-22 02:26:31
ComboFix5.txt 2009-01-19 17:05:01

Pre-Run: 96,624,254,976 bytes free
Post-Run: 96,602,648,576 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
210 --- E O F --- 2009-01-18 08:00:30


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, January 19, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, January 19, 2009 17:10:23
Records in database: 1648886
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 160648
Threat name: 6
Infected objects: 11
Suspicious objects: 0
Duration of the scan: 04:07:47


File name / Threat name / Threats count
C:\Program Files\zldmste\DbUi.dll/C:\Program Files\zldmste\DbUi.dll Infected: Trojan.Win32.Obfuscated.gx 1
C:\Documents and Settings\All Users\Application Data\totgdsfq\vifklolk.exe Infected: Trojan-Downloader.Win32.Agent.afgt 1
C:\Documents and Settings\user\Desktop\Sap2000\Keygen.SAP2000.exe Infected: Trojan-Dropper.Win32.Agent.xol 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\Program Files\zldmste\DbUi.dll Infected: Trojan.Win32.Obfuscated.gx 1
C:\QooBox\Quarantine\C\WINDOWS\system32\cbXOExVo.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkIbyWO.dll.vir Infected: Trojan.Win32.Monderc.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\vadmlejc.exe.vir Infected: Trojan.Win32.Obfuscated.gx 1
C:\QooBox\Quarantine\[4]-Submit_2009-01-19@12.05.zip Infected: Trojan-Downloader.Win32.Agent.bdlh 2
C:\SDFix\backups_old4\backups.zip Infected: Trojan.Win32.Monderc.gen 1

The selected area was scanned.
Attached Files
File Type: txt ComboFix.txt (13.3 KB, 1 views)
File Type: txt Kaspersky Log.txt (1.8 KB, 2 views)

Last edited by Ried; 01-20-2009 at 12:00 AM.
Old 01-20-2009, 12:20 AM   #6 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Several Major Problems

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Before we continue, what happened with the files ComboFix was trying to upload?

- Do you see a C:\CF-Submit.htm? If so, ensure you disable your CA Internet Security Suite so it does not hinder the upload. Then double click CF-Submit.htm and allow the upload.

- If there is no CF-Submit.htm, then please visit this site and copy/paste the following bolded text into the 'browse to file to submit' box:

C:\QooBox\Quarantine\[4]-Submit_2009-01-19@12.05.zip

Click 'Send File'


=============================================

After you have accomplished that...

Open notepad and copy/paste the text in the code box below into it:

Quote:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/335615-several-major-problems-post1922291.html#post1922291

Collect::
c:\program files\zldmste\DbUi.dll
C:\Documents and Settings\All Users\Application Data\totgdsfq\vifklolk.exe

File::
C:\Documents and Settings\user\Desktop\Sap2000\Keygen.SAP2000.exe

Folder::
c:\program files\zldmste
C:\SDFix
C:\Documents and Settings\All Users\Application Data\totgdsfq
Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe


When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Post the ComboFix.txt.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
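A practitioner following a CFScript fix usually wants to confirm that every path the script named actually shows up under "Other Deletions" in the ComboFix log that comes back. The script below is an added example, not code from this thread or from ComboFix: it parses the Collect::/File::/Folder:: directive format used in the post above and cross-checks it against the log's deletion section. The sample CFScript and log excerpt are constructed from the thread, with a placeholder in place of the thread URL.

```python
"""Cross-check a ComboFix CFScript against the ComboFix.txt it produced.

Added example (not part of the forum thread or of ComboFix). The CFScript
format follows the helper's post: an optional thread URL line, then
directive headers such as 'Collect::', 'File::' or 'Folder::', each followed
by one path per line. 'Other Deletions' in ComboFix.txt lists removed paths
between its banner and the next '((((' banner.
"""
import re

DIRECTIVE_RE = re.compile(r"^([A-Za-z]+)::\s*$")

# Constructed sample CFScript (paths taken from the thread; URL is a placeholder).
CFSCRIPT = r"""http://example.invalid/thread-url-placeholder

Collect::
c:\program files\zldmste\DbUi.dll
C:\Documents and Settings\All Users\Application Data\totgdsfq\vifklolk.exe

File::
C:\Documents and Settings\user\Desktop\Sap2000\Keygen.SAP2000.exe

Folder::
c:\program files\zldmste
C:\SDFix
C:\Documents and Settings\All Users\Application Data\totgdsfq
"""

# Constructed excerpt of the ComboFix.txt that followed (trimmed from the thread).
COMBOFIX_LOG = r"""ComboFix 09-01-19.05 - user 2009-01-20 8:25:54.15 - NTFSx86
* Created a new restore point

FILE ::
c:\documents and settings\user\Desktop\Sap2000\Keygen.SAP2000.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\totgdsfq
c:\documents and settings\All Users\Application Data\totgdsfq\vifklolk.exe
c:\documents and settings\user\Desktop\Sap2000\Keygen.SAP2000.exe
c:\program files\zldmste
c:\program files\zldmste\DbUi.dll
C:\SDFix
c:\sdfix\apps\assosfix.reg

.
((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.
"""


def parse_cfscript(text):
    """Return {directive: [paths]} from CFScript text; the thread URL line is ignored."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.lower().startswith("http"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is not None:
            sections[current].append(line)
    return sections


def parse_deletions(log_text):
    """Return lowercased paths listed under 'Other Deletions' in ComboFix.txt."""
    deleted = set()
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Other Deletions" in line:
            in_section = True
            continue
        if in_section and line.startswith("(((("):  # next banner ends the section
            break
        if in_section and line and line != ".":
            deleted.add(line.lower())  # ComboFix lowercases most paths, so compare case-insensitively
    return deleted


def check_script(cfscript_text, log_text):
    """Map each path the script asked to remove or collect to whether the log confirms it."""
    script = parse_cfscript(cfscript_text)
    deleted = parse_deletions(log_text)
    return {path: path.lower() in deleted
            for directive in ("Collect", "File", "Folder")
            for path in script.get(directive, [])}


if __name__ == "__main__":
    for path, ok in check_script(CFSCRIPT, COMBOFIX_LOG).items():
        print(("removed   " if ok else "NOT FOUND ") + path)
```

A path reported as NOT FOUND is the cue to re-run or ask the helper before assuming the cleanup is complete.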
Old 01-20-2009, 06:40 AM   #7 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 9
OS: xp pro


Re: Several Major Problems

I didn't find the C:\CF-Submit.htm so I submitted it through the site you suggested. As for my antivirus, I can only put it on snooze, there is no option to exit it, or shut it down completely. Here is the requested log.

ComboFix 09-01-19.05 - user 2009-01-20 8:25:54.15 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1517 [GMT -5:00]
Running from: c:\documents and settings\user\Desktop\Fix Computer Files\1-16-09\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\Fix Computer Files\1-16-09\CFScript.txt
AV: CA Anti-Virus *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\user\Desktop\Sap2000\Keygen.SAP2000.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\totgdsfq
c:\documents and settings\All Users\Application Data\totgdsfq\vifklolk.exe
c:\documents and settings\user\Desktop\Sap2000\Keygen.SAP2000.exe
c:\program files\zldmste
c:\program files\zldmste\DbUi.dll
C:\SDFix
c:\sdfix\apps\assosfix.reg
c:\sdfix\apps\cliptext.exe
c:\sdfix\apps\download.exe
c:\sdfix\apps\dummy.sys
c:\sdfix\apps\Enable_Command_Prompt.reg
c:\sdfix\apps\ERDNT.E_E
c:\sdfix\apps\ERDNTDOS.LOC
c:\sdfix\apps\ERDNTWIN.LOC
c:\sdfix\apps\ERUNT.EXE
c:\sdfix\apps\ERUNT.LOC
c:\sdfix\apps\fix.reg
c:\sdfix\apps\FixBH.reg
c:\sdfix\apps\FixComponents.reg
c:\sdfix\apps\FIXCU.reg
c:\sdfix\apps\FIXLM.reg
c:\sdfix\apps\FixPath.exe
c:\sdfix\apps\FixRedir.reg
c:\sdfix\apps\FixSchedule.reg
c:\sdfix\apps\FixWebCheck.reg
c:\sdfix\apps\fixXP.reg
c:\sdfix\apps\FixXPsp2.reg
c:\sdfix\apps\grep.exe
c:\sdfix\apps\HaxdFix.reg
c:\sdfix\apps\HPFix.reg
c:\sdfix\apps\HPFix2.reg
c:\sdfix\apps\HPFix3.reg
c:\sdfix\apps\HPFix4.reg
c:\sdfix\apps\HPFix5.reg
c:\sdfix\apps\HPFix6.reg
c:\sdfix\apps\HPFix7.reg
c:\sdfix\apps\HPFix8.reg
c:\sdfix\apps\HPFix9.reg
c:\sdfix\apps\isadmin.exe
c:\sdfix\apps\leg2.txt
c:\sdfix\apps\legacy.txt
c:\sdfix\apps\legacybk.txt
c:\sdfix\apps\locate.com
c:\sdfix\apps\LS.exe
c:\sdfix\apps\MD5File.exe
c:\sdfix\apps\moveex.exe
c:\sdfix\apps\MyGcpvFix.reg
c:\sdfix\apps\MyGkFix2.reg
c:\sdfix\apps\Process.exe
c:\sdfix\apps\procs.exe
c:\sdfix\apps\psservice.exe
c:\sdfix\apps\Rem.txt
c:\sdfix\apps\Rem2.txt
c:\sdfix\apps\Replace\regedit.exe
c:\sdfix\apps\Replace\W2K.exe
c:\sdfix\apps\Replace\w2k\beep.sys
c:\sdfix\apps\Replace\w2k\null.sys
c:\sdfix\apps\Replace\XP.exe
c:\sdfix\apps\Replace\xp\beep.sys
c:\sdfix\apps\Replace\xp\null.sys
c:\sdfix\apps\Reset_AppInit_DLLs.reg
c:\sdfix\apps\RestartIt!.exe
c:\sdfix\apps\Restore_SecurityCenter.reg
c:\sdfix\apps\Restore_SharedAccess.reg
c:\sdfix\apps\sc.exe
c:\sdfix\apps\sed.exe
c:\sdfix\apps\SF.exe
c:\sdfix\apps\shutdown.exe
c:\sdfix\apps\srv2.txt
c:\sdfix\apps\srv2bk.txt
c:\sdfix\apps\svc.txt
c:\sdfix\apps\svcbk.txt
c:\sdfix\apps\swreg.exe
c:\sdfix\apps\swsc.exe
c:\sdfix\apps\unzip.exe
c:\sdfix\apps\vfind.exe
c:\sdfix\apps\WINMSG.EXE
c:\sdfix\apps\winsec.reg
c:\sdfix\apps\zip.exe
c:\sdfix\backups\catchme.log
c:\sdfix\backups\HOSTS
c:\sdfix\backups_old2\backupreg.zip
c:\sdfix\backups_old2\backups.zip
c:\sdfix\backups_old2\catchme.log
c:\sdfix\backups_old2\HOSTS
c:\sdfix\backups_old3\backupreg.zip
c:\sdfix\backups_old3\backups.zip
c:\sdfix\backups_old3\catchme.log
c:\sdfix\backups_old3\HOSTS
c:\sdfix\backups_old4\backupreg.zip
c:\sdfix\backups_old4\backups.zip
c:\sdfix\backups_old4\catchme.log
c:\sdfix\backups_old4\HOSTS
c:\sdfix\catchme.exe
c:\sdfix\dummy.sys
c:\sdfix\Report.txt
c:\sdfix\Report_old_1.txt
c:\sdfix\Report_old_2.txt
c:\sdfix\Report_old_3.txt
c:\sdfix\Report_old_4.txt
c:\sdfix\Report_old_5.txt
c:\sdfix\RunThis.bat
c:\sdfix\SDFIX_ReadMe_Online.url
c:\sdfix\W2K_CodecRepair.inf
c:\sdfix\XP_CodecRepair.inf

.
((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-17 16:35 . 2009-01-17 16:35 <DIR> d-------- c:\program files\Common Files\AnswerWorks 5.0
2009-01-16 22:22 . 2009-01-16 22:22 250 --a------ c:\windows\gmer.ini
2009-01-16 15:18 . 2009-01-16 15:18 <DIR> d-------- c:\windows\system32\scripting
2009-01-16 15:18 . 2009-01-16 15:18 <DIR> d-------- c:\windows\system32\en
2009-01-16 15:18 . 2009-01-16 15:18 <DIR> d-------- c:\windows\system32\bits
2009-01-16 15:18 . 2009-01-16 15:18 <DIR> d-------- c:\windows\l2schemas
2009-01-16 15:16 . 2009-01-16 15:16 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-15 19:18 . 2009-01-16 18:20 <DIR> d-------- c:\program files\Counter-Strike
2009-01-14 10:20 . 2003-04-10 04:46 260,096 --------- c:\windows\system32\RICHTX32.OCX
2009-01-14 10:20 . 2000-05-21 23:00 244,416 --------- c:\windows\system32\MSFLXGRD.OCX
2009-01-14 10:20 . 1998-06-23 22:00 67,376 --------- c:\windows\system32\SYSINFO.OCX
2009-01-14 10:19 . 2009-01-14 10:20 <DIR> d-------- c:\program files\Personal Chess Trainer 2007
2009-01-14 10:19 . 2009-01-14 10:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Tarma Installer
2009-01-07 04:52 . 2008-04-13 19:11 1,888,992 --------- c:\windows\system32\ati3duag.dll
2009-01-07 04:41 . 2008-12-11 05:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys
2009-01-07 04:40 . 2008-08-14 05:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-07 04:40 . 2008-08-14 05:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-07 04:40 . 2008-08-14 04:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-07 04:40 . 2008-08-14 04:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-07 04:40 . 2008-09-15 07:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2009-01-07 04:40 . 2008-04-11 14:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-01-07 04:40 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-01-07 04:40 . 2008-10-15 11:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-01-06 11:33 . 2009-01-06 11:33 <DIR> d-------- C:\CFLog
2009-01-06 11:32 . 2009-01-06 11:32 <DIR> d-------- c:\program files\Common Files\INCA Shared
2009-01-06 11:32 . 2003-07-17 04:17 5,174 --a------ c:\windows\system32\nppt9x.vxd
2009-01-06 11:32 . 2004-12-31 19:43 4,682 --a------ c:\windows\system32\npptNT2.sys
2008-12-22 17:29 . 2008-12-22 17:30 24,840,704 --a------ C:\tgatool3.bmp
2008-12-22 17:29 . 2008-12-22 17:30 8,281,088 --a------ C:\tgatrns3.bmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 21:34 --------- d-----w c:\program files\Common Files\Intuit
2009-01-17 21:34 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-01-17 21:31 --------- d-----w c:\program files\TurboTax
2009-01-06 16:30 --------- d-----w c:\program files\SubaGames
2008-12-29 17:57 --------- d-----w c:\program files\DivX
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-27 03:58 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-23 09:18 --------- d-----w c:\program files\Jaman Player
2008-11-23 09:16 --------- d-----w c:\program files\windows XP uploader
2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-13 15:32 503,808 ----a-w c:\windows\system32\msvcp71.dll
2008-11-13 15:32 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-22 20:47 6 ----a-w c:\windows\Fonts\wfonts.key
2008-09-20 20:16 24 ----a-w c:\documents and settings\user\jagex_runescape_preferences.dat
2008-03-08 21:31 61,224 ----a-w c:\documents and settings\user\GoToAssistDownloadHelper.exe
2007-08-20 22:04 15,505,200 ----a-w c:\program files\IE7-WindowsXP-x86-enu.exe
2004-09-28 02:00 26,240 ----a-w c:\windows\inf\RAMDSK.SYS
2001-08-22 18:15 245,760 ----a-w c:\windows\inf\i386\viceo.dll
2001-08-22 18:13 61,440 ----a-w c:\windows\inf\i386\gl.dll
2001-08-22 18:13 32,768 ----a-w c:\windows\inf\i386\Pmicro.dll
2001-08-03 23:29 13,824 ----a-w c:\windows\inf\i386\Usbscan.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-05-27 4269296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-05-14 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-05-14 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"VX3000"="c:\windows\vVX3000.exe" [2007-04-10 709992]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-07 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"cctray"="c:\program files\CA\CA Internet Security Suite\cctray\cctray.exe" [2008-06-09 177416]
"CAVRID"="c:\program files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-06-09 230928]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 c:\windows\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2006-10-31 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-04-25 423184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
--------- 2006-10-20 19:23 118784 c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jamtray]
--a------ 2008-11-13 11:04 455960 c:\program files\Jaman Player\jamtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Jaman Player\\jaman-updater.exe"=
"c:\\Program Files\\Jaman Player\\jamdownloader.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-08-12 28544]
R3 PPCtlPriv;PPCtlPriv;c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [2007-03-12 189704]
R4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-07-04 24652]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-03-08 44928]
S3 XDva031;XDva031;\??\c:\windows\system32\XDva031.sys --> c:\windows\system32\XDva031.sys [?]
S3 XDva059;XDva059;\??\c:\windows\system32\XDva059.sys --> c:\windows\system32\XDva059.sys [?]
S3 XDva064;XDva064;\??\c:\windows\system32\XDva064.sys --> c:\windows\system32\XDva064.sys [?]
S3 XDva132;XDva132;\??\c:\windows\system32\XDva132.sys --> c:\windows\system32\XDva132.sys [?]
S3 XDva195;XDva195;\??\c:\windows\system32\XDva195.sys --> c:\windows\system32\XDva195.sys [?]
S3 XDva214;XDva214;\??\c:\windows\system32\XDva214.sys --> c:\windows\system32\XDva214.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-01-06 c:\windows\Tasks\CAAntiSpywareScan_Daily as user at 10 01 PM.job
- c:\program files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe [2008-06-09 21:01]

2009-01-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-03-07 c:\windows\Tasks\shutdown.job
- c:\documents and settings\user\Desktop\shutdown.bat []

2009-01-20 c:\windows\Tasks\User_Feed_Synchronization-{6AC3E833-CA5B-4A70-AFE7-3A257F49795D}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 21:36]
.
- - - - ORPHANS REMOVED - - - -

SSODL-DbUi-{5CC8B6BC-86A6-A0B4-DE79-098F1ABA8592} - c:\program files\zldmste\DbUi.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\windows\system32\VetRedir.dll
Trusted Zone: *.turbotax.com
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\znqggucg.default\
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Jaman Player\npjaman.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\jaman.js - pref("network.protocol-handler.warn-external.jaman", false);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 08:30:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1296)
c:\program files\CA\SharedComponents\PPRT\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRT\bin\CAServer.dll

- - - - - - - > 'lsass.exe'(1540)
c:\windows\system32\VetRedir.dll
c:\windows\system32\ISafeIf.dll
.
Completion time: 2009-01-20 8:33:33
ComboFix-quarantined-files.txt 2009-01-20 13:32:58
ComboFix2.txt 2009-01-19 17:23:42
ComboFix3.txt 2009-01-18 08:23:55
ComboFix4.txt 2008-07-22 02:44:01
ComboFix5.txt 2009-01-20 13:24:16

Pre-Run: 96,513,220,608 bytes free
Post-Run: 96,553,930,752 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=6 Sets=1,2,3,4,5,6
303 --- E O F --- 2009-01-20 00:18:59
Attached Files: ComboFix.txt (15.8 KB)

Last edited by Ried; 01-20-2009 at 08:50 PM.
ichigo5937 is offline  
Old 01-20-2009, 10:00 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Several Major Problems

Files received, thank you.


--------------------------------------------------------------------

Please take a moment to read our sticky topics regarding cracked software, and Perils of P2P File Sharing. Your use of both of these is what got you infected in the first place.

--------------------------------------------------------------------

Your logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points (which contain the infections) and create a new restore point.


Click Start > Run and copy/paste, or type the following bolded text into the Run box and click OK:

ComboFix /u

--------------------------------------------------------------------

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at these well written articles:

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 01-21-2009, 08:44 PM   #9 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 9
OS: xp pro


Re: Several Major Problems

Thank you for all your help. The system seems to be running perfectly now and I believe this can be considered as resolved.
ichigo5937 is offline  
Old 01-21-2009, 10:00 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,938
OS: WinXP and Vista


Re: Several Major Problems

You're welcome, ichigo5937.

Take care and surf safely.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
 


Copyright 2001 - 2009, Tech Support Forum